CHFI · topic practice

Malware Forensics practice questions

Practise Computer Hacking Forensic Investigator CHFI Malware Forensics practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
16 questionsDomain: Malware Forensics

What the exam tests

What to know about Malware Forensics

Malware Forensics questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Malware Forensics exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Malware Forensics questions

16 questions · select your answer, then reveal the explanation

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?

An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?

A security analyst is tasked with reverse engineering a suspected malware sample. Which initial step should the analyst take to ensure safe handling and prevent accidental infection?

During malware analysis, an investigator finds that a suspicious process is injecting code into a legitimate system process (e.g., explorer.exe). Which technique is being used?

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?

Refer to the exhibit. An investigator is examining a disk image using TSK. The output from 'fls' shows the directory structure. What is the significance of the entry 'V/V 113-128-1: $OrphanFiles'?

Exhibit

Refer to the exhibit.

C:\> fls -f ntfs -o 2048 image.dd
r/r 4-128-3: $AttrDef
r/r 8-128-2: $BadClus
r/r 6-128-2: $Bitmap
r/r 7-128-1: $Boot
r/r 11-128-3: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
r/r 108-128-2: Users
r/r 109-128-3: ProgramData
r/r 110-128-2: Windows
r/r 111-128-1: Program Files
r/r 112-128-1: Program Files (x86)
V/V 113-128-1: $OrphanFiles
r/r 114-128-3: autoexec.bat
r/r 115-128-1: config.sys

You are a forensic analyst investigating a suspected malware infection on a Windows 10 workstation. The user reports that the system has been slow and that unexpected pop-ups appear. You have acquired a memory dump and a disk image. During analysis, you find a suspicious process named 'svch0st.exe' running with PID 4567. The process has loaded several DLLs, including 'wininet.dll' and 'ws2_32.dll'. You also find that the process has an active TCP connection to an external IP address 203.0.113.5 on port 4444. In the disk image, you find an executable file at C:\Users\Public\svch0st.exe with a creation date that matches the start of symptoms. The file's hash is not in any known malware database. You decide to perform dynamic analysis by running the file in a sandbox. However, the sandbox environment has no network connectivity. The executable runs but does not exhibit any malicious behavior. What should you do next to determine if the file is malicious?

Which TWO techniques are commonly used to evade detection by antivirus software in packed malware?

Question 10mediummultiple choice
Read the full Malware Forensics explanation →

Based on the exhibit, what is the most likely indication of malware persistence?

Exhibit

Refer to the exhibit.

C:\Users\Admin> sc query | findstr /i "service"
SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender Antivirus Service
STATE: 4 RUNNING

C:\Users\Admin> tasklist /svc
Image Name PID Services
================= ======== ============================================
svchost.exe 1234 WinDefend
svchost.exe 5678 BFE, MpsSvc
services.exe 4321 

C:\Users\Admin> netstat -ano | findstr :4444
  TCP    0.0.0.0:4444   0.0.0.0:0    LISTENING     4321

You are investigating a Windows 10 workstation that exhibits slow performance and frequent pop-ups. The user reports that the system started acting strangely after installing a 'PDF Converter' from an email attachment. You suspect malware. You have captured a memory dump using FTK Imager and a network capture during the infection. In the memory dump, you find a suspicious process 'conhost.exe' running from a non-standard location (C:\Users\Public\Temp). The process has an open handle to a file named 'config.ini' in the same directory. The network capture shows periodic HTTPS connections to 'malicious.com' on port 443 from the workstation's IP. Using Volatility, you extract the process's command line: 'conhost.exe -hidden -log C:\Users\Public\Temp\output.log'. Which of the following is the BEST immediate course of action to contain the threat and preserve evidence?

Question 12mediummultiple choice
Read the full Malware Forensics explanation →

Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?

Exhibit

Refer to the exhibit.

C:\> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 CryptSvc, Dnscache, LmHosts, EventSystem
svchost.exe                   1344 W32Time, WdiServiceHost
svchost.exe                    768 BFE, MpsSvc
notepad.exe                   1456 N/A
svchost.exe                    524 SessionEnv, TermService, UmRdpService
rundll32.exe                  1500 N/A

C:\> netstat -ano | findstr :4444
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1500

C:\> wmic process where processid=1500 get executablepath
ExecutablePath
C:\Windows\System32\rundll32.exe

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

You are a forensic analyst investigating a Windows workstation that shows signs of malware infection. The user reports that the system is slow, network activity is high, and several files have been encrypted with a .encrypted extension. A ransom note named README.txt has been left on the desktop demanding payment. You have acquired a memory dump using FTK Imager and a disk image using dd. You need to identify the malware family and gather indicators of compromise (IOCs). Which of the following is the MOST appropriate first step?

Drag and drop the steps to perform a forensic analysis of email headers to trace the origin of a spam email into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each steganography technique to its carrier medium.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Image files (BMP, PNG)

Audio files (WAV, MP3)

GIF images

JPEG images

Plain text or documents

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Malware Forensics sessions

Start a Malware Forensics only practice session

Every question in these sessions is drawn from the Malware Forensics domain — nothing else.

Related practice questions

Related CHFI topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CHFI exam test about Malware Forensics?
Malware Forensics questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Malware Forensics questions in a focused session?
Yes — the session launcher on this page draws every question from the Malware Forensics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CHFI topics?
Use the topic links above to move to related areas, or go back to the CHFI question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CHFI exam covers. They are not copied from any real exam or dump site.